From 693259d8c12eeab2bc996fb5c7a2c78475dea7b3 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 20 Jan 2025 21:23:31 +0100 Subject: [PATCH] feat(profile): general update --- apparmor.d/groups/apt/apt-extracttemplates | 2 +- apparmor.d/groups/apt/dpkg-preconfigure | 1 + apparmor.d/groups/freedesktop/pipewire | 1 + apparmor.d/groups/freedesktop/xdg-dbus-proxy | 1 + apparmor.d/groups/freedesktop/xdg-desktop-portal | 3 +-- apparmor.d/groups/freedesktop/xdg-permission-store | 2 +- apparmor.d/groups/gnome/gdm-session-worker | 1 + apparmor.d/groups/kde/konsole | 7 +++++-- apparmor.d/groups/kde/xembedsniproxy | 2 ++ apparmor.d/groups/pacman/pacman | 2 ++ apparmor.d/groups/pacman/pacman-hook-systemd | 2 +- apparmor.d/groups/ssh/sftp-server | 3 +-- apparmor.d/groups/systemd/systemd-fsck | 2 +- apparmor.d/groups/systemd/systemd-networkd | 2 +- apparmor.d/groups/systemd/systemd-rfkill | 2 +- apparmor.d/groups/virt/cockpit-session | 3 ++- apparmor.d/groups/virt/cockpit-ws | 2 ++ apparmor.d/groups/virt/dockerd | 11 ++++------- apparmor.d/profiles-m-r/mullvad-setup | 6 ++++-- apparmor.d/profiles-m-r/needrestart | 8 ++++++-- apparmor.d/profiles-s-z/update-alternatives | 2 ++ apparmor.d/profiles-s-z/virt-manager | 2 +- 22 files changed, 42 insertions(+), 25 deletions(-) diff --git a/apparmor.d/groups/apt/apt-extracttemplates b/apparmor.d/groups/apt/apt-extracttemplates index 2e41b10b..beb563f3 100644 --- a/apparmor.d/groups/apt/apt-extracttemplates +++ b/apparmor.d/groups/apt/apt-extracttemplates @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/apt-extracttemplates +@{exec_path} = @{bin}/apt-extracttemplates @{lib}/apt/apt-extracttemplates profile apt-extracttemplates @{exec_path} { include include diff --git a/apparmor.d/groups/apt/dpkg-preconfigure b/apparmor.d/groups/apt/dpkg-preconfigure index cf957ab4..34163333 100644 --- a/apparmor.d/groups/apt/dpkg-preconfigure +++ b/apparmor.d/groups/apt/dpkg-preconfigure @@ -34,6 +34,7 @@ profile dpkg-preconfigure @{exec_path} { @{bin}/dpkg rPx -> child-dpkg, @{bin}/apt-extracttemplates rPx, @{bin}/whiptail rPx, + @{lib}/apt/apt-extracttemplates rPx, /usr/share/debconf/confmodule r, diff --git a/apparmor.d/groups/freedesktop/pipewire b/apparmor.d/groups/freedesktop/pipewire index e2b1b22d..da4350d7 100644 --- a/apparmor.d/groups/freedesktop/pipewire +++ b/apparmor.d/groups/freedesktop/pipewire @@ -46,6 +46,7 @@ profile pipewire @{exec_path} flags=(attach_disconnected) { / r, @{att}/ r, + owner @{att}// r, owner @{att}/.flatpak-info r, owner @{user_config_dirs}/pipewire/{,**} r, diff --git a/apparmor.d/groups/freedesktop/xdg-dbus-proxy b/apparmor.d/groups/freedesktop/xdg-dbus-proxy index e51f21e1..eaaa9076 100644 --- a/apparmor.d/groups/freedesktop/xdg-dbus-proxy +++ b/apparmor.d/groups/freedesktop/xdg-dbus-proxy @@ -28,6 +28,7 @@ profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + owner @{att}/@{HOME}/.var/app/** r, owner @{HOME}/.var/app/*/.local/share/*/logs/* rw, owner @{HOME}/.var/app/*/.local/share/*/**/usr/.ref rw, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index 57b17b65..80fa07ec 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -77,11 +77,10 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { owner @{gdm_config_dirs}/dconf/user r, owner @{gdm_config_dirs}/user-dirs.dirs r, - @{user_config_dirs}/kioslaverc r, owner @{user_config_dirs}/xdg-desktop-portal/* r, - owner @{tmp}/icon* rw, + owner @{tmp}/icon@{rand6} rw, owner @{run}/user/@{uid}/.flatpak/{,*/*} r, diff --git a/apparmor.d/groups/freedesktop/xdg-permission-store b/apparmor.d/groups/freedesktop/xdg-permission-store index 08cfc840..ceca1e2b 100644 --- a/apparmor.d/groups/freedesktop/xdg-permission-store +++ b/apparmor.d/groups/freedesktop/xdg-permission-store @@ -43,7 +43,7 @@ profile xdg-permission-store @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/flatpak/db/ rw, owner @{user_share_dirs}/flatpak/db/.goutputstream-@{rand6} rw, owner @{user_share_dirs}/flatpak/db/background rw, - owner @{user_share_dirs}/flatpak/db/desktop-used-apps r, + owner @{user_share_dirs}/flatpak/db/desktop-used-apps rw, owner @{user_share_dirs}/flatpak/db/devices rw, owner @{user_share_dirs}/flatpak/db/documents rw, owner @{user_share_dirs}/flatpak/db/notifications rw, diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker index 59e6df78..d98b764d 100644 --- a/apparmor.d/groups/gnome/gdm-session-worker +++ b/apparmor.d/groups/gnome/gdm-session-worker @@ -107,6 +107,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/ w, + @{run}/cockpit/active.issue r, @{run}/cockpit/inactive.motd r, owner @{run}/systemd/seats/seat@{int} r, owner @{run}/user/@{uid}/keyring/control rw, diff --git a/apparmor.d/groups/kde/konsole b/apparmor.d/groups/kde/konsole index 17ed13f2..8f9ff48d 100644 --- a/apparmor.d/groups/kde/konsole +++ b/apparmor.d/groups/kde/konsole @@ -74,8 +74,11 @@ profile konsole @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{tmp}/#@{int} rw, owner @{tmp}/konsole.@{rand6} rw, - @{PROC}/@{pid}/cmdline r, - @{PROC}/@{pid}/stat r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-org.kde.konsole-@{int}.scope/** rw, + + @{PROC}/@{pid}/cmdline r, + @{PROC}/@{pid}/stat r, + owner @{PROC}/@{pid}/cgroup r, /dev/ptmx rw, diff --git a/apparmor.d/groups/kde/xembedsniproxy b/apparmor.d/groups/kde/xembedsniproxy index 969a82f6..6cb93163 100644 --- a/apparmor.d/groups/kde/xembedsniproxy +++ b/apparmor.d/groups/kde/xembedsniproxy @@ -21,6 +21,8 @@ profile xembedsniproxy @{exec_path} { owner @{tmp}/xauth_@{rand6} r, + owner @{run}/user/@{uid}/iceauth_@{rand6} r, + @{run}/user/@{uid}/xauth_@{rand6} rl, include if exists diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index 8215e3f6..6c0e782f 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -99,6 +99,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) { @{bin}/update-grub rPx, @{bin}/update-mime-database rPx, @{bin}/vercmp rix, + @{bin}/which rix, @{bin}/xmlcatalog rix, @{lib}/systemd/systemd-* rPx, @{lib}/ghc-@{version}/bin/ghc-pkg-@{version} rix, @@ -198,6 +199,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) { signal receive set=winch peer=makepkg//sudo, @{pager_path} rPx -> child-pager, + @{bin}/systemd-tty-ask-password-agent rPx, /etc/machine-id r, diff --git a/apparmor.d/groups/pacman/pacman-hook-systemd b/apparmor.d/groups/pacman/pacman-hook-systemd index 6f154269..0878385c 100644 --- a/apparmor.d/groups/pacman/pacman-hook-systemd +++ b/apparmor.d/groups/pacman/pacman-hook-systemd @@ -46,7 +46,7 @@ profile pacman-hook-systemd @{exec_path} { capability net_admin, capability sys_resource, - signal send set=term peer=systemd-tty-ask-password-agent, + signal send set=(cont, term) peer=systemd-tty-ask-password-agent, @{bin}/systemd-tty-ask-password-agent Px, diff --git a/apparmor.d/groups/ssh/sftp-server b/apparmor.d/groups/ssh/sftp-server index 3deddb09..a0fc3e2f 100644 --- a/apparmor.d/groups/ssh/sftp-server +++ b/apparmor.d/groups/ssh/sftp-server @@ -6,8 +6,7 @@ abi , include -@{exec_path} = @{lib}/openssh/sftp-server -@{exec_path} += @{lib}/ssh/sftp-server +@{exec_path} = @{lib}/{openssh,ssh}/sftp-server profile sftp-server @{exec_path} { include include diff --git a/apparmor.d/groups/systemd/systemd-fsck b/apparmor.d/groups/systemd/systemd-fsck index a7290dc4..0680e0be 100644 --- a/apparmor.d/groups/systemd/systemd-fsck +++ b/apparmor.d/groups/systemd/systemd-fsck @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-fsck -profile systemd-fsck @{exec_path} { +profile systemd-fsck @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/systemd/systemd-networkd b/apparmor.d/groups/systemd/systemd-networkd index 3eaedfaa..7b271c9d 100644 --- a/apparmor.d/groups/systemd/systemd-networkd +++ b/apparmor.d/groups/systemd/systemd-networkd @@ -51,12 +51,12 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected) { /etc/networkd-dispatcher/carrier.d/{,*} r, @{att}/ r, + @{att}/@{run}/systemd/notify rw, owner @{att}/var/lib/systemd/network/ r, @{run}/systemd/network/ r, @{run}/systemd/network/*.network r, - @{run}/systemd/notify rw, owner @{run}/systemd/netif/** rw, @{run}/udev/data/n@{int} r, diff --git a/apparmor.d/groups/systemd/systemd-rfkill b/apparmor.d/groups/systemd/systemd-rfkill index ff9e2d54..552bd999 100644 --- a/apparmor.d/groups/systemd/systemd-rfkill +++ b/apparmor.d/groups/systemd/systemd-rfkill @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-rfkill -profile systemd-rfkill @{exec_path} { +profile systemd-rfkill @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/virt/cockpit-session b/apparmor.d/groups/virt/cockpit-session index 67ecd800..5b67b14d 100644 --- a/apparmor.d/groups/virt/cockpit-session +++ b/apparmor.d/groups/virt/cockpit-session @@ -36,11 +36,12 @@ profile cockpit-session @{exec_path} flags=(attach_disconnected) { /etc/motd.d/ r, /etc/shells r, + @{att}/@{run}/systemd/sessions/*.ref rw, + @{run}/cockpit/active.motd r, @{run}/cockpit/inactive.motd r, @{run}/faillock/@{user} rwk, @{run}/motd.d/{,*} r, - @{run}/systemd/sessions/*.ref rw, @{run}/utmp rwk, /var/log/btmp rw, diff --git a/apparmor.d/groups/virt/cockpit-ws b/apparmor.d/groups/virt/cockpit-ws index c78f63a6..2a685f04 100644 --- a/apparmor.d/groups/virt/cockpit-ws +++ b/apparmor.d/groups/virt/cockpit-ws @@ -9,9 +9,11 @@ include @{exec_path} = @{lib}/cockpit/cockpit-ws profile cockpit-ws @{exec_path} { include + include @{exec_path} mr, + @{sh_path} rix, @{lib}/cockpit/cockpit-session rPx, /usr/share/cockpit/{,**} r, diff --git a/apparmor.d/groups/virt/dockerd b/apparmor.d/groups/virt/dockerd index 2ea35f7b..13f050c7 100644 --- a/apparmor.d/groups/virt/dockerd +++ b/apparmor.d/groups/virt/dockerd @@ -33,15 +33,9 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { network netlink raw, mount /tmp/containerd-mount@{int}/, - mount /var/lib/docker/buildkit/**/, - mount /var/lib/docker/overlay2/**/, - mount /var/lib/docker/tmp/buildkit-mount@{int}/, - mount fstype=overlay overlay -> /var/lib/docker/rootfs/overlayfs/@{hex64}/, + mount /var/lib/docker/**/, mount options=(rw bind) -> /run/docker/netns/*, - mount options=(rw rbind) -> /var/lib/docker/tmp/docker-builder@{int}/, - mount options=(rw rbind) /var/lib/docker/volumes/**/- -> /var/lib/docker/rootfs/overlayfs/**/, mount options=(rw rprivate) -> /.pivot_root@{int}/, - mount options=(rw rprivate) -> /var/lib/docker/rootfs/overlayfs/@{hex64}/var/lib/buildkit/, mount options=(rw rslave) -> /, remount /tmp/containerd-mount@{int10}/, @@ -90,6 +84,9 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { owner /var/lib/docker/{,**} rwk, owner /var/lib/docker/tmp/qemu-check@{int}/check rix, + /tmp/build/ w, + /tmp/containerd-mount@{int10}/{,**} rw, + owner @{run}/docker/ rw, owner @{run}/docker/** rwlk, owner @{run}/docker.pid rw, diff --git a/apparmor.d/profiles-m-r/mullvad-setup b/apparmor.d/profiles-m-r/mullvad-setup index d2bb2eb4..bc20a0f9 100644 --- a/apparmor.d/profiles-m-r/mullvad-setup +++ b/apparmor.d/profiles-m-r/mullvad-setup @@ -13,9 +13,11 @@ profile mullvad-setup @{exec_path} { @{exec_path} mr, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, @{sys}/fs/cgroup/user.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/profiles-m-r/needrestart b/apparmor.d/profiles-m-r/needrestart index 56f95b58..4bc314b0 100644 --- a/apparmor.d/profiles-m-r/needrestart +++ b/apparmor.d/profiles-m-r/needrestart @@ -20,9 +20,9 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { capability kill, capability sys_ptrace, - ptrace (read), + ptrace read, - mqueue (r,getattr) type=posix /, + mqueue r type=posix /, @{exec_path} mrix, @@ -43,6 +43,8 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { @{lib}/needrestart/* rPx, /usr/share/debconf/frontend rix, + @{att}/@{lib}/python3.@{int}/** r, + /usr/share/needrestart/{,**} r, /usr/share/unattended-upgrades/unattended-upgrade-shutdown r, @@ -60,6 +62,8 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { owner /var/lib/juju/agents/{,**} r, owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk, + /tmp/@{word10}/ rw, + owner @{run}/sshd.pid r, @{PROC}/ r, diff --git a/apparmor.d/profiles-s-z/update-alternatives b/apparmor.d/profiles-s-z/update-alternatives index a83e985d..8f08b74f 100644 --- a/apparmor.d/profiles-s-z/update-alternatives +++ b/apparmor.d/profiles-s-z/update-alternatives @@ -12,6 +12,8 @@ profile update-alternatives @{exec_path} { include include + capability dac_override, + @{exec_path} mr, @{bin}/* w, diff --git a/apparmor.d/profiles-s-z/virt-manager b/apparmor.d/profiles-s-z/virt-manager index 052192d8..af472b4d 100644 --- a/apparmor.d/profiles-s-z/virt-manager +++ b/apparmor.d/profiles-s-z/virt-manager @@ -31,7 +31,7 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { @{exec_path} rix, @{sh_path} rix, - @{bin}/python3.@{int} r, + @{bin}/python3.@{int} rix, @{lib}/python3.@{int}/site-packages/__pycache__/guestfs.cpython-@{int}.pyc.@{int} w, @{bin}/ r,